Month: December 2018

The Samsung-exclusive app CNN for Samsung Edge Panel exists to let users read the latest news in an edge panel. To do this it uses plain HTTP to fetch sections, images, headlines and links to articles, and to report metrics back to CNN. On an insecure or untrusted network it is therefore possible for a third party (someone who is neither CNN nor the user) to find out how, if and when the app is used, which categories the user is interested in, whether they want the US or international edition, details about the device and the service provider, and to log or replace any image shown in the app as well as any title or article link.

The included PoC uses mitmdump and Python to extract the telemetry it receives and to modify content, replacing headlines, images and links. The PoC could use an HTTP 301 to move the section definitions to a third-party server, but this has intentionally not been done so that the demonstration stays easily reversible. As of writing, this exploit works with the most up-to-date version of the app.

1. On the test PC run: mitmdump -s cnn-edge-panel-01/src/demo.py --anticomp --anticache --ignore :443$
2. On the Samsung mobile device, set the test PC as the HTTP proxy of the device.
3. (Not necessary) On the Samsung mobile device, open a browser and go to a website; if you see “… clientconnect” or “GET …” in the mitmdump terminal window, things should be working.
4. Open the CNN for Samsung Edge Panel app. If the PoC works, you should see all categories renamed “Hacking” and all the news replaced with jokes. Pressing “Hack all the things” should then open a YouTube video. Additionally, the terminal should show at least one line reading “Got metrics …”, config.outturner.com, metrics.cnn.com and compositor.api.cnn.com.

Depending on caching, the sections may keep their unmodified names. If that happens while the headlines and so on did change, the app did not reload edge-config.json but did reload the section. As of writing, edge-config.json appears to have been 404ed; the PoC has been updated to bypass this.

Expected behavior

HTTPS rather than HTTP being used in the app, HTTP 301 redirects from HTTP to HTTPS, and HSTS on compositor.api.cnn.com.
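As an added example (not part of the original write-up, and not CNN's or mitmproxy's code), the following Python script turns that expected behaviour into a check a defender can run against the hosts an app talks to: a plaintext HTTP request must be answered with a 301 to https:// on the same host, and the HTTPS response must carry an HSTS policy. The hostnames and responses below are constructed samples; the one-year minimum max-age and the includeSubDomains requirement are my assumptions (they match what the HSTS preload list asks for), not something the write-up specifies. A real run would feed the script responses fetched with an HTTP client instead of the embedded samples.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# One year: the minimum max-age the HSTS preload list accepts (assumed threshold).
MIN_HSTS_MAX_AGE = 31536000


@dataclass
class Response:
    """Minimal view of an HTTP response: requested URL, status code, headers."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # Header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def parse_hsts(value):
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_redirect(host, http_resp):
    """The plaintext endpoint should only ever answer with a 301 to https://<host>."""
    findings = []
    if http_resp.status != 301:
        findings.append(f"{host}: plaintext HTTP answered {http_resp.status}, expected 301")
        return findings
    location = http_resp.header("Location") or ""
    target = urlparse(location)
    if target.scheme != "https":
        findings.append(f"{host}: 301 Location is not https:// ({location!r})")
    if target.hostname != host:
        findings.append(f"{host}: 301 points at a different host ({target.hostname!r})")
    return findings


def check_hsts(host, https_resp):
    """The HTTPS endpoint should send a long-lived HSTS policy covering subdomains."""
    findings = []
    raw = https_resp.header("Strict-Transport-Security")
    if raw is None:
        findings.append(f"{host}: no Strict-Transport-Security header")
        return findings
    directives = parse_hsts(raw)
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        findings.append(f"{host}: HSTS max-age missing or not an integer ({raw!r})")
        return findings
    if max_age < MIN_HSTS_MAX_AGE:
        findings.append(f"{host}: HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in directives:
        findings.append(f"{host}: HSTS does not cover subdomains")
    return findings


def assess_transport(host, http_resp, https_resp):
    """Return all findings for a host; an empty list means the expected behaviour holds."""
    return check_redirect(host, http_resp) + check_hsts(host, https_resp)


# Constructed sample responses for hypothetical hosts (not real measurements).
# "weak.example.test" behaves like the write-up describes: config served over plain HTTP.
SAMPLES = {
    "weak.example.test": (
        Response("http://weak.example.test/edge-config.json", 200,
                 {"Content-Type": "application/json"}),
        Response("https://weak.example.test/edge-config.json", 200,
                 {"Content-Type": "application/json"}),
    ),
    "strict.example.test": (
        Response("http://strict.example.test/edge-config.json", 301,
                 {"Location": "https://strict.example.test/edge-config.json"}),
        Response("https://strict.example.test/edge-config.json", 200,
                 {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ),
}

if __name__ == "__main__":
    for host, (http_resp, https_resp) in SAMPLES.items():
        findings = assess_transport(host, http_resp, https_resp)
        print(host, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

Running the script prints one line per host: the weak host fails both checks (200 over plain HTTP, no HSTS), the strict host passes. The redirect check deliberately stops at the first finding, since a Location header on a non-301 response tells you nothing about the policy.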